
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="zh_Hans">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.7.6 release notes &#8212; Django 3.2.6.dev 文档</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="索引" href="../genindex.html" />
    <link rel="search" title="搜索" href="../search.html" />
    <link rel="next" title="Django 1.7.5 release notes" href="1.7.5.html" />
    <link rel="prev" title="Django 1.7.7 release notes" href="1.7.7.html" />



 
<script src="../templatebuiltins.js"></script>
<script>
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 3.2.6.dev 文档</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.7.7.html" title="Django 1.7.7 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.7.5.html" title="Django 1.7.5 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.7.6">
            
  <div class="section" id="s-django-1-7-6-release-notes">
<span id="django-1-7-6-release-notes"></span><h1>Django 1.7.6 release notes<a class="headerlink" href="#django-1-7-6-release-notes" title="永久链接至标题">¶</a></h1>
<p><em>March 9, 2015</em></p>
<p>Django 1.7.6 fixes a security issue and several bugs in 1.7.5.</p>
<div class="section" id="s-mitigated-an-xss-attack-via-properties-in-modeladmin-readonly-fields">
<span id="mitigated-an-xss-attack-via-properties-in-modeladmin-readonly-fields"></span><h2>Mitigated an XSS attack via properties in <code class="docutils literal notranslate"><span class="pre">ModelAdmin.readonly_fields</span></code><a class="headerlink" href="#mitigated-an-xss-attack-via-properties-in-modeladmin-readonly-fields" title="永久链接至标题">¶</a></h2>
<p>The <a class="reference internal" href="../ref/contrib/admin/index.html#django.contrib.admin.ModelAdmin.readonly_fields" title="django.contrib.admin.ModelAdmin.readonly_fields"><code class="xref py py-attr docutils literal notranslate"><span class="pre">ModelAdmin.readonly_fields</span></code></a> attribute in the Django
admin allows displaying model fields and model attributes. While the former
were correctly escaped, the latter were not. Thus untrusted content could be
injected into the admin, presenting an exploitation vector for XSS attacks.</p>
<p>In this vulnerability, every model attribute used in <code class="docutils literal notranslate"><span class="pre">readonly_fields</span></code> that
is not an actual model field (e.g. a <a class="reference external" href="https://docs.python.org/3/library/functions.html#property" title="(在 Python v3.9)"><code class="xref py py-class docutils literal notranslate"><span class="pre">property</span></code></a>) will <strong>fail to be
escaped</strong> even if that attribute is not marked as safe. In this release,
autoescaping is now correctly applied.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="永久链接至标题">¶</a></h2>
<ul class="simple">
<li>Fixed crash when coercing <code class="docutils literal notranslate"><span class="pre">ManyRelatedManager</span></code> to a string
(<a class="reference external" href="https://code.djangoproject.com/ticket/24352">#24352</a>).</li>
<li>Fixed a bug that prevented migrations from adding a foreign key constraint
when converting an existing field to a foreign key (<a class="reference external" href="https://code.djangoproject.com/ticket/24447">#24447</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.7.6 release notes</a><ul>
<li><a class="reference internal" href="#mitigated-an-xss-attack-via-properties-in-modeladmin-readonly-fields">Mitigated an XSS attack via properties in <code class="docutils literal notranslate"><span class="pre">ModelAdmin.readonly_fields</span></code></a></li>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>

  <h4>上一个主题</h4>
  <p class="topless"><a href="1.7.7.html"
                        title="上一章">Django 1.7.7 release notes</a></p>
  <h4>下一个主题</h4>
  <p class="topless"><a href="1.7.5.html"
                        title="下一章">Django 1.7.5 release notes</a></p>
  <div role="note" aria-label="source link">
    <h3>本页</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/1.7.6.txt"
            rel="nofollow">显示源代码</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>快速搜索</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="转向" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">7月 23, 2021</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="1.7.7.html" title="Django 1.7.7 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.7.5.html" title="Django 1.7.5 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>